<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html lang="en-US"><head>
<meta content="text/html;charset=UTF-8" http-equiv="content-type">
<title>The From-Origin Header</title>
<style type="text/css">
pre.idl { border:solid thin; background:#eee; color:#000; padding:0.5em }
pre.idl :link, pre.idl :visited { color:inherit; background:transparent }
pre code { color:inherit; background:transparent }
div.example { margin-left:1em; padding-left:1em; border-left:double; color:#222; background:#fcfcfc }
.note { margin-left:2em; font-weight:bold; font-style:italic; color:#008000 }
p.note::before { content:"Note: " }
.XXX { padding:.5em; border:solid #f00 }
p.XXX::before { content:"Issue: " }
dl.switch { padding-left:2em }
dl.switch > dt { text-indent:-1.5em }
dl.switch > dt:before { content:'\21AA'; padding:0 0.5em 0 0; display:inline-block; width:1em; text-align:right; line-height:0.5em }
dl.domintro { color: green; margin: 2em 0 2em 2em; padding: 0.5em 1em; border: none; background: #DDFFDD; }
dl.domintro dt, dl.domintro dt * { color: black; text-decoration: none; }
dl.domintro dd { margin: 0.5em 0 1em 2em; padding: 0; }
dl.domintro dd p { margin: 0.5em 0; }
dl.domintro:before { display: table; margin: -1em -0.5em -0.5em auto; width: auto; content: 'This box is non-normative. Implementation requirements are given below this box.'; color: red; border: solid 2px; background: white; padding: 0 0.25em; }
em.ct { text-transform:lowercase; font-variant:small-caps; font-style:normal }
dfn { font-weight:bold; font-style:normal }
code { color:orangered }
code :link, code :visited { color:inherit }
hr:not(.top) { display:block; background:none; border:none; padding:0; margin:2em 0; height:auto }
table { border-collapse:collapse; border-style:hidden hidden none hidden }
table thead { border-bottom:solid }
table tbody th:first-child { border-left:solid }
table td, table th { border-left:solid; border-right:solid; border-bottom:solid thin; vertical-align:top; padding:0.2em }
.warning { color: red; background: transparent; font-weight: bolder; font-style: italic; }
.warning p:first-child { margin-top: 0; }
.warning p:last-child { margin-bottom: 0; }
.warning:before { font-style: normal; }
p.warning:before { content: '\26A0 Warning! '; }
@media print {
[data-anolis-spec]::after { content:"[" attr(data-anolis-spec) "]"; font-size:.6em; vertical-align:super; text-transform:uppercase }
}
</style>
<link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet">
</head>
<body>
<div class="head">
<!--begin-logo-->
<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>
<!--end-logo-->
<h1>The From-Origin Header</h1>
<h2 class="no-num no-toc" id="w3c-working-draft-21-july-2011">W3C Working Draft 21 July 2011</h2>
<dl>
<dt>This Version:
<dd class="publish"><a href="http://www.w3.org/TR/2011/WD-from-origin-20110721/">http://www.w3.org/TR/2011/WD-from-origin-20110721/</a>
<dt class="publish">Latest Version:
<dd class="publish"><a href="http://www.w3.org/TR/from-origin/">http://www.w3.org/TR/from-origin/</a>
<dt class="publish">Latest Editor's Draft:
<dd class="publish"><a href="http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html">http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html</a>
<!--
<dt>Previous Versions:
<dd><a href=""></a>
-->
<dt>Editor:
<dd><a href="http://annevankesteren.nl/">Anne van Kesteren</a>
(<a href="http://www.opera.com/">Opera Software ASA</a>)
<<a href="mailto:annevk@opera.com">annevk@opera.com</a>>
</dl>
<!--begin-copyright-->
<p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2011 <a href="http://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="http://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="http://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="http://www.keio.ac.jp/">Keio</a>), All Rights Reserved. W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.</p>
<!--end-copyright-->
</div>
<hr class="top">
<h2 class="no-num no-toc" id="abstract">Abstract</h2>
<p>The From-Origin Header specification defines the
<code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> response header — a way for
resources to declare they are unavailable within an embedding context.
<h2 class="no-num no-toc" id="sotd">Status of this Document</h2>
<p><i>This section describes the status of this document at the time of its
publication. Other documents may supersede this document. A list of current W3C
publications and the latest revision of this technical report can be found in
the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at
http://www.w3.org/TR/.</i>
<p>This is the 21 July 2011 First Public Working Draft <!--W3C Working Draft--> of The From-Origin Header. Please send comments to
<a href="mailto:public-webapps@w3.org?subject=%5Bfrom-origin%5D%20">public-webapps@w3.org</a>
(<a href="http://lists.w3.org/Archives/Public/public-webapps/">archived</a>)
with <samp>[from-origin]</samp> at the start of the subject line.
<p>This document is produced by the
<a href="http://www.w3.org/2008/webapps/">Web Applications</a> (WebApps) Working
Group. The WebApps Working Group is part of the
<a href="http://www.w3.org/2006/rwc/Activity">Rich Web Clients Activity</a> in
the W3C <a href="http://www.w3.org/Interaction/">Interaction Domain</a>.
<p>The contents of this document do not necessarily reflect the consensus of
the Working Group.</p>
<p>This document was produced by a group operating under the
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004
W3C Patent Policy</a>. W3C maintains a
<a href="http://www.w3.org/2004/01/pp-impl/42538/status" rel="disclosure">public
list of any patent disclosures</a> made in connection with the deliverables of
the group; that page also includes instructions for disclosing a patent. An
individual who has actual knowledge of a patent which the individual believes
contains
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
Claim(s)</a> must disclose the information in accordance with
<a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
6 of the W3C Patent Policy</a>.
<p>Publication as a Working Draft does not imply endorsement by the W3C
Membership. This is a draft document and may be updated, replaced or
obsoleted by other documents at any time. It is inappropriate to cite this
document as other than work in progress.
<h2 class="no-num no-toc" id="table-of-contents">Table of Contents</h2>
<!--begin-toc-->
<ol class="toc">
<li><a href="#conformance"><span class="secno">1 </span>Conformance</a></li>
<li><a href="#terminology"><span class="secno">2 </span>Terminology</a></li>
<li><a href="#introduction"><span class="secno">3 </span>Introduction</a></li>
<li><a href="#from-origin-response-header"><span class="secno">4 </span><code title="">From-Origin</code> Response Header</a></li>
<li><a class="no-num" href="#references">References</a>
<ol class="toc">
<li><a class="no-num" href="#normative-references">Normative references</a></ol></li>
<li><a class="no-num" href="#acknowledgements">Acknowledgements</a></ol>
<!--end-toc-->
<h2 id="conformance"><span class="secno">1 </span>Conformance</h2>
<p>All diagrams, examples, and notes in this specification are
non-normative, as are all sections explicitly marked non-normative.
Everything else in this specification is normative.
<p>The key words "MUST", "MUST NOT", "REQUIRED", <!--"SHALL", "SHALL
NOT",--> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in the normative parts of this document are to be
interpreted as described in RFC2119. For readability, these words do
not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a>
<h2 id="terminology"><span class="secno">2 </span>Terminology</h2>
<p>The terminology used in this specification is from <cite>HTML</cite> and
<cite>The Web Origin Concept</cite>
<a href="#refsHTML">[HTML]</a>
<a href="#refsORIGIN">[ORIGIN]</a>
<h2 id="introduction"><span class="secno">3 </span>Introduction</h2>
<!-- http://tools.ietf.org/html/draft-abarth-principles-of-origin -->
<p>The Web platform currently places no limitations on embedding resources from different
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>. E.g. an
HTML document on <code>http://example.org</code> can embed an image from
<code>http://corp.invalid</code> without issue. This has led to a number of
problems:</p>
<ul>
<li>Bandwidth "theft" — the practice of embedding resources (e.g. images or
fonts) from another server causing the owner of that server to get a higher
hosting bill.
<li>Clickjacking — embedding a resource from another
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> and attempting to let the
visitor click on a concealed link thereof, causing harm to the visitor.
<li>Privacy leakage — sometimes resource availability depends on whether a visitor is signed in to a particular website. E.g. only with an I'm-signed-in cookie will an image be returned, otherwise an HTML document. An HTML document embedding a resource (requested with the user's credentials) can figure out the existence of that resource and thus whether the visitor is signed in and therefore has an account with a particular service.
<li>License checking — certain font licenses require that the font be
prevented from being embedded on other
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>.
</ul>
<p>This specification attempts to tackle these problems to some extent.
<p>Privacy leakage can however still be a problem if the resource in question has different latency characteristics depending on whether the I'm-signed-in cookie is present.</p>
<!--
http://scarybeastsecurity.blogspot.com/2009/12/cross-domain-search-timing.html
http://abortz.net/papers/timingweb.pdf
If the server has different latency characteristics depending on
whether the user is signed in, an attacker can still learn something
about the user's signed-in state even if the server uses From-Origin.
-->
<p class="XXX">Should we try to phase out
<code title="http-x-frame-options">X-Frame-Options</code> and replace it with
this header or extend
<code title="http-x-frame-options">X-Frame-Options</code> to cover the cases
addressed by <code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code>?
<h2 id="from-origin-response-header"><span class="secno">4 </span><code title="">From-Origin</code> Response Header</h2>
<p>The <dfn id="http-from-origin" title="http-from-origin"><code>From-Origin</code></dfn> header can
be used to restrict embedding of a resource to only certain
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4" title="origin">origins</a>. When used it must
match the following ABNF:</p>
<pre>From-Origin = "From-Origin" ":" #(<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-7.1">serialized-origin</a> | "same")</pre>
<p>The ABNF used is defined by HTTP. <a href="#refsHTTP">[HTTP]</a>
<p>When a resource is <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>,
these steps must be run in addition to the steps that are being run for
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> the resource. They
must be run as if they were part of the
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> algorithm's
<i>main step</i>; if a network error is to be returned rather than a
resource, the <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a>
algorithm must be terminated, meaning e.g. cookies will not be updated. If
this algorithm ends for other reasons,
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> must proceed as
normal.
<ol>
<li><p>If the resource being
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> does not carry a
<code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> header, or its value cannot be
parsed per the above ABNF, terminate these steps.
<!-- XXX can be improved when shit gets real -->
<li>
<p>If the resource is being
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> as the result of
<a class="external" href="http://www.whatwg.org/html/#navigate" title="navigate">navigating</a> a
non-<a class="external" href="http://www.whatwg.org/html/#child-browsing-context">child browsing context</a> terminate
these steps.</p>
<p class="note">We do not want to restrict non-embedding scenarios.</p>
</li>
<li><p>Let <var title="">source origin</var> be the
<a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> of
the API that caused the resource to be
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a> or
the <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-4">origin</a> of the
<a class="external" href="http://www.whatwg.org/html/#source-browsing-context">source browsing context</a> if the
<a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetching</a> was the result of
<a class="external" href="http://www.whatwg.org/html/#navigate" title="navigate">navigating</a>.
<li><p>Let <var title="">target origin</var> be the <span>origin</span>
of the resource being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
<li>
<p>If <var title="">source origin</var> and <var>target origin</var>
are <a class="external" href="http://tools.ietf.org/html/draft-ietf-websec-origin#section-5">same origin</a> terminate these
steps.
<p class="note">We do not want to restrict same-origin scenarios.</p>
</li>
<li><p>Let <var title="">allowed origins</var> be the values of the
<code title="http-from-origin"><a href="#http-from-origin">From-Origin</a></code> header(s) of the resource
being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
<li><p>If none of the values of <var title="">allowed origins</var> are
equal to the <var title="">source origin</var>, return a network error
instead of the resource being <a class="external" href="http://www.whatwg.org/html/#fetch" title="fetch">fetched</a>.
<li><p>Otherwise, proceed as normal.
</ol>
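<p>The ABNF and the fetch-time steps above, implemented as an added example (not part of this draft or any browser's code): a parser for the header value and a function that walks steps 1 to 8. It assumes origins are compared by their serialized form (scheme://host[:port]) and that several <code>From-Origin</code> headers have already been joined with commas as HTTP's #rule permits.</p>

```javascript
// Added example, not part of the draft: parse a From-Origin value per the
// ABNF  #(serialized-origin | "same")  and apply the draft's fetch-time check.
// Assumption: origins are handled as serialized strings, scheme://host[:port].

// Serialize an origin from a URL string (host keeps a non-default port).
function serializeOrigin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Parse the header value: a comma-separated list of serialized-origin or the
// token "same". Returns an array of allowed values, or null when the value
// is absent or cannot be parsed (the draft then skips the check entirely).
function parseFromOrigin(value) {
  if (value == null) return null;
  const items = value.split(',').map((s) => s.trim()).filter((s) => s !== '');
  if (items.length === 0) return null;
  const allowed = [];
  for (const item of items) {
    if (item.toLowerCase() === 'same') { allowed.push('same'); continue; }
    // A serialized-origin is scheme "://" host [":" port]: no path, query,
    // fragment or userinfo may follow the authority.
    const sep = item.indexOf('://');
    if (sep < 0 || /[\/?#@]/.test(item.slice(sep + 3))) return null;
    try { allowed.push(serializeOrigin(item)); } catch (e) { return null; }
  }
  return allowed;
}

// Steps 1 to 8 of the draft. headerValue: raw From-Origin value (null if the
// response has none; several headers joined with commas). sourceOrigin: the
// origin of the API or source browsing context that caused the fetch.
// targetOrigin: the origin of the resource. isTopLevelNavigation: true when
// the fetch is a navigation of a non-child browsing context.
// Returns "allow" (proceed as normal) or "network-error".
function fromOriginCheck({ headerValue, sourceOrigin, targetOrigin, isTopLevelNavigation = false }) {
  const allowed = parseFromOrigin(headerValue);
  if (allowed === null) return 'allow';              // step 1: no usable header
  if (isTopLevelNavigation) return 'allow';          // step 2: not an embedding
  if (sourceOrigin === targetOrigin) return 'allow'; // step 5: same origin
  // Steps 6 and 7: "same" stands for the resource's own origin, which a
  // cross-origin embedder can never match.
  const permitted = allowed.map((o) => (o === 'same' ? targetOrigin : o));
  return permitted.includes(sourceOrigin) ? 'allow' : 'network-error';
}
```

Note that a cross-origin embedder is rejected on a header that says only <code>same</code>, since same-origin fetches already pass at step 5 before the allowed list is consulted.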
<h2 class="no-num" id="references">References</h2>
<h3 class="no-num" id="normative-references">Normative references</h3>
<div id="anolis-references-normative"><dl><dt id="refsHTML">[HTML]
<dd><cite><a href="http://www.whatwg.org/html">HTML</a></cite>, I. Hickson. WHATWG.
<dt id="refsHTTP">[HTTP]
<dd><cite><a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a></cite>, R. Fielding, J. Gettys, J. Mogul et al. IETF.
<dt id="refsORIGIN">[ORIGIN]
<dd><cite><a href="http://tools.ietf.org/html/draft-ietf-websec-origin">The Web Origin Concept</a></cite>, A. Barth. IETF.
<dt id="refsRFC2119">[RFC2119]
<dd><cite><a href="http://www.ietf.org/rfc/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a></cite>, S. Bradner. IETF.
</dl></div>
<!--<h3 class=no-num>Informative references</h3>
<div id=anolis-references-informative></div>-->
<h2 class="no-num" id="acknowledgements">Acknowledgements</h2>
<p>Thanks to
Adam Barth,
David Singer,
Glenn Maynard,
John Daggett,
Jonathan Rees,
Håkon Wium Lie,
Henri Sivonen and
Ms2ger
for their useful comments.